Wednesday, September 28, 2011

Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability


These 4 phishing messages attempt to exploit CVE-2011-1991 type (1), deskpan.dll in the Display Panning CPL Extension. Here is a clear explanation of the deskpan.dll functionality: it is "a module related to the display settings of pictures on your display screen". It is normally located in C:\Windows\System32\. The phishing messages contain a Word document (0/44 on VT) and a DLL file called deskpan.dll in one zip or rar archive; the DLL is in fact a Taidoor trojan, unrelated to the authentic Windows library. This exploit has strict requirements for execution. I have not been able to meet them and get it to work; just like Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z, it is hard to trigger. A reader sent an explanation of how this exploit can be triggered.

He wrote the following:

CMD.EXE executes vercslid.exe every time a document file (doc/rtf/txt or jpg) is invoked from the command interpreter.
It is important that the name of the current working directory of CMD.EXE is "(something){42071714-76D4-11D1-8B24-00A0C9068FF3}" and the directory contains both a (malicious) deskpan.dll and a (trigger) document file.
 

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-1991

Windows Components Insecure Library Loading Vulnerability
Description:     Multiple untrusted search path vulnerabilities in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .rtf, or .txt file, related to (1) deskpan.dll in the Display Panning CPL Extension, (2) EAPHost Authenticator Service, (3) Folder Redirection, (4) HyperTerminal, (5) the Japanese Input Method Editor (IME), and (6) Microsoft Management Console (MMC), aka "Windows Components Insecure Library Loading Vulnerability."
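As an added defender-side example (not code from the original post), a check over an archive or directory listing for the trigger layout the reader describes: a folder whose name ends in the Display Panning CLSID, holding a deskpan.dll beside a document file. The listings are constructed to mirror sample 4 below; the MD5 values are the deskpan.dll hashes listed on this page.

```python
# Added example, not part of the original post. Flags the file layout that
# CVE-2011-1991 (deskpan.dll variant) needs: a directory named
# "(something){42071714-76D4-11D1-8B24-00A0C9068FF3}" containing deskpan.dll
# next to a doc/rtf/txt/jpg trigger file. Nothing here opens or executes files.
import hashlib
import re
from pathlib import PurePosixPath

DESKPAN_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"
CLSID_DIR = re.compile(re.escape(DESKPAN_CLSID) + r"$", re.IGNORECASE)
TRIGGER_EXTS = {".doc", ".rtf", ".txt", ".jpg"}

# deskpan.dll MD5s given in this post's scan results (page indicators)
KNOWN_BAD_DESKPAN_MD5 = {
    "90c88267efd63fd8e22fb0809be372bc",
    "95eba76c46e6a5e516de4b1a2cbe052e",
}


def find_clsid_lures(member_paths):
    """Return (directory, [trigger documents]) for every directory in a
    listing that matches the lure layout: CLSID-suffixed name + deskpan.dll
    + at least one trigger document. Backslash paths are accepted."""
    by_dir = {}
    for raw in member_paths:
        path = PurePosixPath(raw.replace("\\", "/"))
        by_dir.setdefault(str(path.parent), []).append(path.name)
    hits = []
    for directory, names in by_dir.items():
        if not CLSID_DIR.search(directory):
            continue
        has_dll = any(n.lower() == "deskpan.dll" for n in names)
        docs = [n for n in names if PurePosixPath(n).suffix.lower() in TRIGGER_EXTS]
        if has_dll and docs:
            hits.append((directory, sorted(docs)))
    return hits


def deskpan_is_known_bad(dll_bytes):
    """True if the DLL content hashes to one of the MD5s listed on the page."""
    return hashlib.md5(dll_bytes).hexdigest() in KNOWN_BAD_DESKPAN_MD5


# Constructed listings: the first mirrors sample 4's archive, the second is a
# deskpan.dll in an ordinary folder, which does not satisfy the trigger.
LURE_ARCHIVE = [
    ".{42071714-76D4-11D1-8B24-00A0C9068FF3}/deskpan.dll",
    ".{42071714-76D4-11D1-8B24-00A0C9068FF3}/doc.doc",
]
BENIGN_ARCHIVE = [
    "report/summary.doc",
    "report/deskpan.dll",
]

if __name__ == "__main__":
    print(find_clsid_lures(LURE_ARCHIVE))    # one hit
    print(find_clsid_lures(BENIGN_ARCHIVE))  # []
```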

   General File Information

1
File: 1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.zip
MD5:  08344dcfe36e304dd858bd709ccff01c
deskpan.dll
MD5   : 027ada87ca5051f0c4108a0346e9b213
1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.doc
MD5   : 027ada87ca5051f0c4108a0346e9b213
----------------------------------------------------------------------------------------


2
File: ATT48239.rar
MD5:  9e51bccbd341e3767caf1b717f84fed5
deskpan.dll
MD5   : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5   : a67c7842e395dfd82b133c31d1cc83ee
----------------------------------------------------------------------------------------


3 
File: ATT79018.rar
MD5:  41bad26335f09835b3fd6a54015e32aa
deskpan.dll
MD5   : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5   : 9bbdc627e72941c4a7f15aaff1faa934
----------------------------------------------------------------------------------------


4
File: .{42071714-76D4-11D1-8B24-00A0C9068FF3}.rar
MD5:  7a581f612befcb8163270d5c88f01cdf
deskpan.dll
MD5   : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5   : 13bf854264b79b99b0b5e501c797693c



Download

Original Message

1.

 From: Indonesia Asean [mailto:aseanindonesia@yahoo.com]
Sent: Tuesday, September 20, 2011 7:43 AM
To: xxxxxxxxxx
Subject: Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York

Dear Sirs/Mesdames,

Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 - 6 October 2011 in New York.
A Tentative Programme of the Direct Consultations is also attached for your kind reference.
Thank you for your attention and continued cooperation.


Regards,
--
Ardian Budhi Nugroho (Mr.)
Directorate of ASEAN Political Security Cooperation
Directorate General of ASEAN Cooperation
Ministry of Foreign Affairs-Indonesia
Jalan Taman Pejambon No. 6
Jakarta

2.

From: Taiwan Area National Freeway Bureau, Ministry of Transportation and Communications (交通部臺灣區國道高速公路局) [mailto:n_khsa@freeway.gov.tw]
Sent: Sunday, September 25, 2011 9:47 PM
To: xxxx
Subject: Double Ten National Day: essential freeway information (雙十國慶 國道信息必備)

This year's National Day holiday is a three-day long weekend. To relieve the traffic of people returning home and travelling, the Freeway Bureau of the Ministry of Transportation and Communications plans to waive tolls from midnight to 7 a.m. each day for three consecutive days, from Saturday October 8 to Monday October 10.
 

3.
 From: Tai Long [mailto:tailong.email@msa.hinet.net]
Sent: Thursday, September 22, 2011 9:17 PM
To: xxxx
Subject: FW: An expert's illustrated guide to inflation (高手圖解通貨膨脹)
 

4.

From: heping [mailto:heping.a57@msa.hinet.net]
Sent: Monday, September 26, 2011 8:42 PM
To: xxxxxx


Subject: Opposing the government's increase of the elderly farmer allowance (反對政府加碼老農津貼)

According to press reports, the Legislative Yuan plenary recently passed the DPP caucus's proposal to raise the elderly farmer allowance and sent it directly to second reading, raising the allowance from NT$6,000 to NT$7,000. At first hearing this seems reasonable, but on closer examination it is not hard to see that the argument for the increase is not only absurd but also deepens the sense of relative deprivation among the elderly, with no fairness or justice to speak of. The author opposes the government's increase of the elderly farmer allowance, for roughly seven reasons.

Message Headers

1. Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York

Received: (qmail 15282 invoked from network); 20 Sep 2011 11:43:17 -0000
Received: from nm30-vm4.bullet.mail.ne1.yahoo.com (HELO nm30-vm4.bullet.mail.ne1.yahoo.com) (98.138.91.190)
  by xxxxxxxx
Received: from [98.138.90.55] by nm30.bullet.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
Received: from [98.138.89.245] by tm8.bullet.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
Received: from [127.0.0.1] by omp1059.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 207403.43300.bm@omp1059.mail.ne1.yahoo.com
Received: (qmail 13317 invoked by uid 60001); 20 Sep 2011 11:43:17 -0000
Received: from [68.70.82.155] by web125004.mail.ne1.yahoo.com via HTTP; Tue, 20 Sep 2011 04:43:17 PDT
X-Mailer: YahooMailClassic/14.0.5 YahooMailWebService/0.8.113.315625
Message-ID: <1316518997.12581.YahooMailClassic@web125004.mail.ne1.yahoo.com>
Date: Tue, 20 Sep 2011 04:43:17 -0700
From: Indonesia Asean
Subject: Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York
To: xxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="-1310913832-1844512174-1316518997=:12581"
----------------------------------------------------------------------------------------
2. 雙十國慶 國道信息必備 (Double Ten National Day: essential freeway information)

Received: (qmail 15078 invoked from network); 26 Sep 2011 01:47:49 -0000
Received: from msr10.hinet.net (HELO msr10.hinet.net) (168.95.4.110)
  by
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
    by msr10.hinet.net (8.14.2/8.14.2) with SMTP id p8Q1jwjY015142
    for ; Mon, 26 Sep 2011 09:47:58 +0800 (CST)
Date: Mon, 26 Sep 2011 09:47:04 +0800
From: "=?gb2312?B?vbvNqLK/xV+es4Veh/i1wLjfy9m5q8K3vtY=?="
To: "xxxxxxxxxxxxx>
Subject: =?gb2312?B?63DKrof4kWMgh/i1wNDFz6Kx2ILk?=
Message-ID: <201109260944575125767@freeway.gov.tw>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon047735488433_====="
----------------------------------------------------------------------------------------
3. FW:高手圖解通貨膨脹 (FW: An expert's illustrated guide to inflation)

  Received: (qmail 4909 invoked from network); 23 Sep 2011 01:17:47 -0000
Received: from msr4.hinet.net (HELO msr4.hinet.net) (168.95.4.104)
  by
Received: from rabbit-4c4bd4d2 (59-120-16-116.HINET-IP.hinet.net [59.120.16.116])
    by msr4.hinet.net (8.14.2/8.14.2) with SMTP id p8N0vmGJ002523
    for xx; Fri, 23 Sep 2011 09:17:31 +0800 (CST)
Date: Fri, 23 Sep 2011 09:16:38 +0800
From: "Tai Long"
To: xxxxx
Subject: =?gb2312?B?Rlc6uN/K1ohEveLNqNibxfLDmw==?=
Message-ID: <201109230856536056629@msa.hinet.net>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon217161388548_====="
----------------------------------------------------------------------------------------
4. 反對政府加碼老農津貼 (Opposing the government's increase of the elderly farmer allowance)

Received: (qmail 30334 invoked from network); 27 Sep 2011 00:43:00 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by xxxxxxxxxxxxxxxxxxx
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
    by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p8R0Yigt007656
    for xxxxxx; Tue, 27 Sep 2011 08:42:57 +0800 (CST)
Date: Tue, 27 Sep 2011 08:42:09 +0800
From: "heping"
To: xxxxxxxxxx
Subject: =?gb2312?B?t7SMptX+uK6807RhwM/ecr3y2U4=?=
Message-ID: <201109270833519411080@msa.hinet.net>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon686802606465_====="

Senders

1
IP:    68.70.82.155
Decimal:    1145459355
Hostname:    68-70-82-155.static.kc.surewest.net
ISP:    SureWest Kansas Operations, LLC
Organization:    SureWest Kansas Operations, LLC
State/Region:    Kansas
City:    Overland Park
----------------------------------------------------------------------------------------

2
IP:    59.120.1.169
Decimal:    997720489
Hostname:    59-120-1-169.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    CHTD, Chunghwa Telecom Co., Ltd.
----------------------------------------------------------------------------------------

3
IP:    59.120.16.116
Decimal:    997724276
Hostname:    59-120-16-116.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Chunghwa Telecom Data Communication Business Group
Country:    Taiwan
State/Region:    T'ai-pei

----------------------------------------------------------------------------------------
4
IP:    59.120.1.169
Decimal:    997720489
Hostname:    59-120-1-169.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    CHTD, Chunghwa Telecom Co., Ltd.


Automated Scans

1
 deskpan.dll
Submission date:2011-09-24 03:50:02 (UTC)
Result:16 /44 (36.4%)
   http://www.virustotal.com/file-scan/report.html?id=41201ded2031a56419c1c822bd1622046665ea69dede96d873908c07fe78cd1e-1316836202
AntiVir     7.11.15.29     2011.09.23     TR/Hijacker.Gen
Antiy-AVL     2.0.3.7     2011.09.23     Trojan/Win32.Small.gen
AVG     10.0.0.1190     2011.09.23     BackDoor.Generic14.AJZQ.dropper
BitDefender     7.2     2011.09.24     Dropped:Trojan.CryptRedol.Gen.3
ByteHero     1.0.0.1     2011.09.23     Virus.Win32.Part.a
F-Secure     9.0.16440.0     2011.09.23     Dropped:Trojan.CryptRedol.Gen.3
Fortinet     4.3.370.0     2011.09.24     -
GData     22     2011.09.24     Dropped:Trojan.CryptRedol.Gen.3
Jiangmin     13.0.900     2011.09.23     TrojanDownloader.Small.bjqc
Kaspersky     9.0.0.837     2011.09.24     HEUR:Trojan.Win32.Generic
Microsoft     1.7702     2011.09.23     Backdoor:Win32/Simbot.gen
nProtect     2011-09-23.01     2011.09.23     Dropped:Trojan.CryptRedol.Gen.3
TheHacker     6.7.0.1.307     2011.09.23     Trojan/Downloader.Small.auqu
VBA32     3.12.16.4     2011.09.23     Trojan-Downloader.Win32.Small.auqu
VIPRE     10563     2011.09.24     Trojan.Win32.Generic!BT
MD5   : 90c88267efd63fd8e22fb0809be372bc

 1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.doc
2011-09-28 02:06:31 (UTC)
0 /44 (0.0%)
MD5   : 027ada87ca5051f0c4108a0346e9b213

 ----------------------------------------------------------------------------------------

2

deskpan.dll
2011-09-28 04:22:18 (UTC)
http://www.virustotal.com/file-scan/report.html?id=ae6f4f1f4483149c39f3741e2b4b2c9964ae80f1322dcba0c6d7781a57f03bef-1317183738
Result:15 /43 (34.9%)

Antivirus     Version     Last Update     Result
AntiVir     7.11.15.52     2011.09.27     TR/Hijacker.Gen
Antiy-AVL     2.0.3.7     2011.09.27     Trojan/Win32.Small.gen
AVG     10.0.0.1190     2011.09.28     BackDoor.Generic14.AJZQ.dropper
BitDefender     7.2     2011.09.28     Dropped:Trojan.CryptRedol.Gen.3
ByteHero     1.0.0.1     2011.09.23     Virus.Win32.Part.a
F-Secure     9.0.16440.0     2011.09.28     Dropped:Trojan.CryptRedol.Gen.3
GData     22     2011.09.28     Dropped:Trojan.CryptRedol.Gen.3
Jiangmin     13.0.900     2011.09.27     TrojanDownloader.Small.bjqc
Kaspersky     9.0.0.837     2011.09.28     HEUR:Trojan.Win32.Generic
Microsoft     1.7702     2011.09.27     Backdoor:Win32/Simbot.gen
nProtect     2011-09-27.01     2011.09.27     Dropped:Trojan.CryptRedol.Gen.3
Rising     23.77.01.04     2011.09.28     Suspicious
TheHacker     6.7.0.1.312     2011.09.27     Trojan/Downloader.Small.auqu
VBA32     3.12.16.4     2011.09.27     Trojan-Downloader.Win32.Small.auqu
Additional information
MD5   : 95eba76c46e6a5e516de4b1a2cbe052e

File name:
____.doc
Submission date:
2011-09-28 16:46:17 (UTC)
Result:0/ 43 (0.0%)
MD5   : a67c7842e395dfd82b133c31d1cc83ee

----------------------------------------------------------------------------------------
3
deskpan.dll: identical to the sample 2 file (MD5 95eba76c46e6a5e516de4b1a2cbe052e); see the VirusTotal report under sample 2 above.

File name:
___________________.doc
Submission date:2011-09-28 16:49:14 (UTC)
MD5   : 9bbdc627e72941c4a7f15aaff1faa934

----------------------------------------------------------------------------------------
4
deskpan.dll: identical to the sample 2 file (MD5 95eba76c46e6a5e516de4b1a2cbe052e); see the VirusTotal report under sample 2 above.


__________.doc
Result:
0 /42 (0.0%)
Additional information
MD5   : 13bf854264b79b99b0b5e501c797693c


Payload

I think I managed to trigger the exploit once but I could not reproduce it. The first is different from the other three; it was meant for USA targets. The others are from Taiwan and meant for targets in Taiwan.
Trojan Taidoor is in all of the samples.


5 comments:

  2. Just a quick note. There needs to be a '.' between the folder name and the bracket of the classid. For more information see http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html

    Delete & Edit - wrote 'file' rather than 'folder'
  3. A very good blog about malware.
    Explained about file information,messages and automated scans etc.

    Thanks.
